[SCM] Samba Shared Repository - branch master updated

Joseph Sutton jsutton at samba.org
Mon Sep 18 04:30:20 UTC 2023


On 15/09/23 8:05 pm, Stefan Metzmacher via samba-technical wrote:
> On 15.09.23 at 10:02, Stefan Metzmacher via samba-technical wrote:
>> On 15.09.23 at 00:31, Andrew Bartlett wrote:
>>> commit 5c580dbdb3e6a70c8d2f5059e2b7293a7e780414
>>> Author: Joseph Sutton <josephsutton at catalyst.net.nz>
>>> Date:   Mon Sep 4 13:20:34 2023 +1200
>>>
>>>      s4:kdc: Add correct Asserted Identity SID in response to an S4U2Self request
>>>
>>>      I’m not sure exactly how this check was supposed to work. But in any
>>>      case, within fast_unwrap_request() the Heimdal KDC replaces the outer
>>>      padata with the padata from the inner FAST request. Hence, this check
>>>      does not accomplish anything useful: at no point should the KDC plugin
>>>      see the outer padata.
>>>
>>>      A couple of unwanted consequences resulted from this check. One was that
>>>      a client who sent empty FX-FAST padata within the inner FAST request
>>>      would receive the *Authentication Authority* Asserted Identity SID
>>>      instead of the *Service* Asserted Identity SID. Another consequence was
>>>      that a client could in the same manner bypass the restriction on
>>>      performing S4U2Self with an RODC-issued TGT.
>>>
>>>      Overall, samba_wdc_is_s4u2self_req() is somewhat of a hack. But the
>>>      Heimdal plugin API gives us nothing better to work with.
>>>
>>>      Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
>>>      Reviewed-by: Andrew Bartlett <abartlet at samba.org>
>>
>> Shouldn't we backport this?
> 
> Same for these:
> 
> commit ba1750082adf87a700711f7b99573434f50fc41b
> Author: Joseph Sutton <josephsutton at catalyst.net.nz>
> Date:   Fri Aug 25 11:04:32 2023 +1200
> 
>      claims.idl: Be more lenient in our expectations for the compression of claims
> 
>      384 bytes is not a strict threshold below which claims are never to be
>      compressed. Windows has been known to compress claims a mere 368 bytes
>      in size.
> 
>      Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
>      Reviewed-by: Andrew Bartlett <abartlet at samba.org>
> 
> commit 571ff5f31411689e9eb67ce8df837e79bb1fef2d
> Author: Joseph Sutton <josephsutton at catalyst.net.nz>
> Date:   Fri Aug 25 11:01:09 2023 +1200
> 
>      claims.idl: Allow empty claim value buffers
> 
>      Windows doesn’t reject these, nor do we have any reason to do so.
> 
>      Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
>      Reviewed-by: Andrew Bartlett <abartlet at samba.org>
> 
> metze
> 
> 
> 

I don’t think we need to backport “claims.idl: Be more lenient […]”. It 
will make a difference only to testing against Windows, and I don’t 
believe that difference is likely to be exhibited by our existing tests 
in Samba 4.19. The heuristic by which Windows decides whether or not to 
compress the claims is always liable to be changed, anyway.

Similarly, I don’t think we need to backport “claims.idl: Allow empty 
claim value buffers” either. Apart from testing, Samba 4.19 should never 
be pulling an NDR claims structure in the first place, nor should it 
need to.

The first commit, “s4:kdc: Add correct Asserted Identity SID […]”, is 
probably worth backporting, though.

Regards,
Joseph
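The point in the first commit message quoted above is that, after FAST unwrapping, the only padata a KDC plugin can sensibly reason about is the inner padata, so the S4U2Self decision (and therefore which Asserted Identity SID goes into the PAC, and whether the RODC-issued-TGT restriction applies) must be taken from that inner padata alone. The following is an added, simplified model of that decision, written for this note; it is not Samba's or Heimdal's code, and the names `KdcRequest`, `fast_unwrap`, `is_s4u2self` and `classify_request` are assumptions. The padata type numbers (PA-FOR-USER = 129, PA-FX-FAST = 136) and the two well-known SIDs S-1-18-1 and S-1-18-2 are the real values from RFC 6113 / MS-SFU / MS-PAC.

```python
"""Simplified model of S4U2Self classification after FAST unwrapping.

Added example, not Samba code.  It shows that a client stuffing an empty
FX-FAST padata element into the *inner* FAST request must not change the
outcome: the decision is driven solely by PA-FOR-USER in the inner padata.
"""
from dataclasses import dataclass
from typing import List, Optional

PA_FOR_USER = 129   # MS-SFU: marks an S4U2Self request (impersonated user name)
PA_FX_FAST = 136    # RFC 6113: the FAST armor wrapper

# Well-known Asserted Identity SIDs (MS-PAC 2.2.1.12 / MS-SFU)
AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1"
SERVICE_ASSERTED_IDENTITY = "S-1-18-2"


@dataclass
class PaData:
    padata_type: int
    value: bytes = b""


@dataclass
class KdcRequest:
    """Assumed model of what arrives at the KDC (constructed, not a real wire form)."""
    outer_padata: List[PaData]
    inner_padata: Optional[List[PaData]] = None   # None when the request is not FAST-armored
    tgt_issued_by_rodc: bool = False


def fast_unwrap(req: KdcRequest) -> List[PaData]:
    """Model of the KDC's FAST unwrapping step: once the armor is removed, the
    padata presented to any plugin is the inner padata.  The outer padata
    (which carried the PA-FX-FAST wrapper itself) is no longer visible."""
    if req.inner_padata is None:
        return list(req.outer_padata)
    return list(req.inner_padata)


def is_s4u2self(padata: List[PaData]) -> bool:
    """S4U2Self is signalled by PA-FOR-USER; nothing else (in particular not
    the presence or absence of an FX-FAST element) is consulted."""
    return any(p.padata_type == PA_FOR_USER for p in padata)


def classify_request(req: KdcRequest) -> str:
    """Return the Asserted Identity SID the KDC should place in the PAC, or
    raise PermissionError when S4U2Self is attempted with an RODC-issued TGT."""
    padata = fast_unwrap(req)
    if is_s4u2self(padata):
        if req.tgt_issued_by_rodc:
            raise PermissionError("S4U2Self with an RODC-issued TGT is refused")
        return SERVICE_ASSERTED_IDENTITY
    return AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY


if __name__ == "__main__":
    # Constructed sample: a FAST-armored S4U2Self request whose inner padata
    # also carries an empty FX-FAST element (the case from the commit message).
    tricky = KdcRequest(
        outer_padata=[PaData(PA_FX_FAST, b"<armored request>")],
        inner_padata=[PaData(PA_FOR_USER, b"<impersonated user>"), PaData(PA_FX_FAST, b"")],
    )
    print(classify_request(tricky))   # S-1-18-2: still recognised as S4U2Self
```

The empty inner FX-FAST element is simply ignored here, so the request still yields the Service Asserted Identity SID, and with `tgt_issued_by_rodc=True` it is still refused; the decision does not depend on anything the outer padata carried.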


